diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 62f89c2..650010f 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
[bumpversion]
-current_version = 4.1.0
+current_version = 4.2.0
commit = True
message = Bumps version to {new_version}
tag = False
diff --git a/README.md b/README.md
index 484b7be..2143f2c 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,9 @@ No resources.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. |
list(object({
name = string
description = string
identifer = string
}))
| `[]` | no |
-| [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
+| [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
+| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
| [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
| [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
| [standards\_controls](#input\_standards\_controls) | List of Security Hub standards to enable or disable in current region. |
list(object({
name = string
standards_control_arn = string
control_status = string
disabled_reason = string
}))
| `[]` | no |
diff --git a/main.tf b/main.tf
index 67a729f..3dd4970 100644
--- a/main.tf
+++ b/main.tf
@@ -2,7 +2,9 @@ module "account" {
source = "./modules/account"
+ auto_enable_controls = var.auto_enable_controls
control_finding_generator = var.control_finding_generator
+ enable_default_standards = var.enable_default_standards
}
# Manage subscriptions
diff --git a/modules/account/README.md b/modules/account/README.md
index d5e4a7b..75c3308 100644
--- a/modules/account/README.md
+++ b/modules/account/README.md
@@ -23,7 +23,9 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
+| [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
+| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
## Outputs
diff --git a/modules/account/main.tf b/modules/account/main.tf
index e80ce05..b0ee047 100644
--- a/modules/account/main.tf
+++ b/modules/account/main.tf
@@ -1,3 +1,5 @@
resource "aws_securityhub_account" "this" {
+ auto_enable_controls = var.auto_enable_controls
control_finding_generator = var.control_finding_generator
+ enable_default_standards = var.enable_default_standards
}
diff --git a/modules/account/variables.tf b/modules/account/variables.tf
index 5a94461..c5a017b 100644
--- a/modules/account/variables.tf
+++ b/modules/account/variables.tf
@@ -1,5 +1,17 @@
+variable "auto_enable_controls" {
+ description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`"
+ type = bool
+ default = true
+}
+
variable "control_finding_generator" {
- description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+ description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
type = string
default = "SECURITY_CONTROL"
}
+
+variable "enable_default_standards" {
+ description = "Boolean that automatically enables new controls when they are added to standards that are enabled"
+ type = bool
+ default = true
+}
diff --git a/modules/cross-account-member/README.md b/modules/cross-account-member/README.md
index bbc6986..53a80e8 100644
--- a/modules/cross-account-member/README.md
+++ b/modules/cross-account-member/README.md
@@ -22,7 +22,9 @@ No resources.
|------|-------------|------|---------|:--------:|
| [member\_email](#input\_member\_email) | Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | n/a | yes |
| [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. |
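Review bot: The two new `description` strings in modules/account/variables.tf look swapped relative to what the provider documents for `aws_securityhub_account`: `enable_default_standards` is the argument that turns on the standards Security Hub designates as default (the FSBP and CIS benchmark text), while `auto_enable_controls` is the one that auto-enables new controls added to already-enabled standards. As written, an operator who reads the description and sets `auto_enable_controls = false` to opt out of the default standards would still get them enabled and would instead silently stop receiving new controls, which is a coverage gap that is hard to notice. The fix is to exchange the two description values so that `variable "enable_default_standards"` carries the "Boolean that enables the security standards that Security Hub has designated as automatically enabled …" text and `variable "auto_enable_controls"` carries "Boolean that automatically enables new controls when they are added to standards that are enabled". The same swap is needed in modules/cross-account-member/variables.tf and variables.tf, and in the three README input tables generated from them.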
list(object({
name = string
description = string
identifer = string
}))
| `[]` | no |
-| [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
+| [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
+| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
| [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
| [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
| [standards\_controls](#input\_standards\_controls) | List of Security Hub standards to enable or disable in current region. |
list(object({
name = string
standards_control_arn = string
control_status = string
disabled_reason = string
}))
| `[]` | no |
diff --git a/modules/cross-account-member/main.tf b/modules/cross-account-member/main.tf
index 2120c6a..83dacce 100644
--- a/modules/cross-account-member/main.tf
+++ b/modules/cross-account-member/main.tf
@@ -3,7 +3,9 @@ module "account" {
source = "../../"
action_targets = var.action_targets
+ auto_enable_controls = var.auto_enable_controls
control_finding_generator = var.control_finding_generator
+ enable_default_standards = var.enable_default_standards
product_subscription_arns = var.product_subscription_arns
standard_subscription_arns = var.standard_subscription_arns
standards_controls = var.standards_controls
diff --git a/modules/cross-account-member/variables.tf b/modules/cross-account-member/variables.tf
index b75c593..610452f 100644
--- a/modules/cross-account-member/variables.tf
+++ b/modules/cross-account-member/variables.tf
@@ -13,12 +13,24 @@ variable "action_targets" {
default = []
}
+variable "auto_enable_controls" {
+ description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`"
+ type = bool
+ default = true
+}
+
variable "control_finding_generator" {
- description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+ description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
type = string
default = "SECURITY_CONTROL"
}
+variable "enable_default_standards" {
+ description = "Boolean that automatically enables new controls when they are added to standards that are enabled"
+ type = bool
+ default = true
+}
+
variable "product_subscription_arns" {
description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html"
type = list(string)
diff --git a/variables.tf b/variables.tf
index 67976c0..d816beb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -8,27 +8,22 @@ variable "action_targets" {
default = []
}
-variable "standards_controls" {
- description = "List of Security Hub standards to enable or disable in current region."
- type = list(object({
- name = string
- standards_control_arn = string
- control_status = string
- disabled_reason = string
- }))
- default = []
+variable "auto_enable_controls" {
+ description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`"
+ type = bool
+ default = true
}
variable "control_finding_generator" {
- description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+ description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
type = string
default = "SECURITY_CONTROL"
}
-variable "standard_subscription_arns" {
- description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html"
- type = list(string)
- default = []
+variable "enable_default_standards" {
+ description = "Boolean that automatically enables new controls when they are added to standards that are enabled"
+ type = bool
+ default = true
}
variable "product_subscription_arns" {
@@ -36,3 +31,20 @@ variable "product_subscription_arns" {
type = list(string)
default = []
}
+
+variable "standard_subscription_arns" {
+ description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html"
+ type = list(string)
+ default = []
+}
+
+variable "standards_controls" {
+ description = "List of Security Hub standards to enable or disable in current region."
+ type = list(object({
+ name = string
+ standards_control_arn = string
+ control_status = string
+ disabled_reason = string
+ }))
+ default = []
+}